From: brian@shift.utell.net (Brian Somers)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: New Installation
Date: 23 May 1997 16:23:15 GMT
Organization: Awfulhak Ltd.
Message-ID: <5m4g9j$t29@ui-gate.utell.co.uk>
References: <EAI42z.L80@nonexistent.com> <5m18gk$aq7@ui-gate.utell.co.uk> <33848701.953498@news.tiac.net> <EALpDE.1Fn@sphynx.fdn.fr> <5m4b59$p51@lace.colorado.edu>
Reply-To: brian@awfulhak.org, brian@utell.co.uk

In article <5m4b59$p51@lace.colorado.edu>,
	fcrary@rintintin.Colorado.EDU (Frank Crary) writes:
> In article <EALpDE.1Fn@sphynx.fdn.fr>,
> Philippe Causse <causse@sphynx.fdn.fr> wrote:
>>: > or put the current directory in your path (unsafe):
>
>>: This raises an interesting point. I'm probably just not thinking
>>: about the problem in the right way, but I can't seem to see
>>: what's "unsafe" about this. I've raised the question a few
>>: times in the past and nobody could actually tell me...
>
>>IIRC, this is one possible door for trojan horses.
>>This is related to a superuser doing a cd to a user account where a trojan
>>horse lives. For example, user foo writes a fake "ls" program and leaves
>>it in his account. If mister Charlie Root goes to ~foo and does ls, he/she
>>will start the fake ls instead of the real one. Good time to steal setuid
>>bits !
>>But, IMHO, I think mister Charlie Root should not snoop around in mister
>>foo's home directory 8-p
>>Anyway, putting the "dot" directory at the end of the path is certainly
>>the safest location for it, I presume!
>
> Another problem is hiding a trojan horse. If the current directory
> is in a user's path, someone could run their own code and have it
> appear, in ``ps'' or ``top'' or whatever, as something like ``csh''.
> Very few system administrators would be suspicious seeing ``csh''
> running for a long time, while they might wonder about ``./a.out''
> if it were active for days.

But running programs like this can be overcome by saying

    $ mv a.out csh
    $ PATH=.:$PATH csh

If a user wants his program to "look" like something else, there's
not a lot you can do about it.

> Frank Crary
> CU Boulder

-- 
Brian <brian@awfulhak.org> <brian@freebsd.org> <http://www.awfulhak.org>
Don't _EVER_ lose your sense of humour !
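
Added example, not part of the original post and not code from anyone in the thread: a POSIX shell check for the PATH entries under discussion. It goes beyond the literal "." case to cover empty entries (a leading or trailing colon, or "::"), which the shell also resolves against the current directory, and other relative entries. The function name path_cwd_entries and the sample PATH are constructed for illustration.

```shell
#!/bin/sh
# path_cwd_entries PATHSTRING   (hypothetical helper, added example)
#
# Prints one line per PATH entry that is resolved relative to the current
# directory, as "<position>:<kind>:<entry>":
#   dot      "." or ".." (or anything under them)
#   empty    zero-length entry; POSIX treats it as the current directory
#   relative any other entry that does not start with "/"
# The position is reported because an early entry shadows system commands
# such as ls, while a late entry only catches names found nowhere else
# (mistyped or uninstalled commands).
path_cwd_entries() {
    pos=0
    # Append a colon so that a trailing empty entry is still visited.
    rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}      # text before the first colon
        rest=${rest#*:}        # text after the first colon
        pos=$((pos + 1))
        case $entry in
            '')              kind=empty ;;
            .|./*|..|../*)   kind=dot ;;
            /*)              continue ;;      # absolute entry: not reported
            *)               kind=relative ;;
        esac
        printf '%s:%s:%s\n' "$pos" "$kind" "$entry"
    done
    return 0
}

# Constructed sample: "." first, an empty entry ("::"), a relative "bin",
# and a trailing colon.
sample='.:/bin::/usr/bin:bin:/usr/local/bin:'
path_cwd_entries "$sample"
```

Run it against "$PATH" from root's login shell and from any cron or startup environment; no output means every entry is absolute.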